SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (File Transfer/Sharing)  >   Samba Vendors:   Samba.org
(Oracle Issues Fix for Oracle Linux) Samba Multiple Flaws Let Remote Users Hijack Connections, Obtain Potentially Sensitive Information, and Deny Service
SecurityTracker Alert ID:  1035555
SecurityTracker URL:  http://securitytracker.com/id/1035555
CVE Reference:   CVE-2015-5370, CVE-2016-2111, CVE-2016-2112, CVE-2016-2115, CVE-2016-2118   (Links to External Site)
Date:  Apr 13 2016
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 3.0.0 to 4.4.0
Description:   Multiple vulnerabilities were reported in Samba. A remote user can cause denial of service conditions on the target system. A remote user can hijack connection. A remote user can obtain potentially sensitive information on the target system.

A remote authenticated user can exploit a missing error check in dcesrv_auth_bind_ack() in the DCE/RPC protocol implementation to cause excessive CPU consumption on the target system or cause the target service to crash or execute arbitrary code [CVE-2015-5370]. Versions 3.6.0 to 4.4.0 are affected.

The NTLMSSP implementation is not protected against downgrading. A remote user that can conduct a man-in-the-middle attack can hijack the target connection [CVE-2016-2110].

The NTLMSSP implementation is not protected against downgrading. A remote user that can conduct a man-in-the-middle attack can spoof a system name to a Domain Controller and obtain session-related information about the spoofed system [CVE-2016-2111].

The LDAP implementation does not enforce integrity protection for LDAP connections. A remote user that can conduct a man-in-the-middle attack can downgrade the target LDAP connection to use no integrity protection and gain access to the connection [CVE-2016-2112].

A remote user that can conduct a man-in-the-middle attack can gain access to LDAP connection [CVE-2016-2113]. Versions 4.0.0 to 4.4.0 are affected.

The system does not enforce the mandatory server signing configuration setting. As a result, a remote user can conduct a man-in-the-middle attack to hijack SMB1 connections [CVE-2016-2114]. Versions 4.0.0 to 4.4.0 are affected.

The IPC implementation does not enforce integrity protection by default. A remote user that can conduct a man-in-the-middle attacker can view and modify data sent via the IPC connection [CVE-2016-2115].

A remote user that can conduct a man-in-the-middle attack against DCE/RPE connections can impersonate the target user against the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD) implementations to obtain read/write access to the target Security Account Manager database [CVE-2016-2118]. This can be exploited to obtain passwords in the database. Versions 3.6.0 to 4.4.0 are affected.

[Editor's note: Microsoft Windows is also affected by this vulnerability, as described in CVE-2016-0128 (Alert ID 1035534). This vulnerability is known as "Badlock".]

Jouni Knuutinen of Synopsys reported the dcesrv_auth_bind_ack() vulnerability. Stefan Metzmacher of SerNet (https://samba.plus) reported the other vulnerabilities.

Impact:   A remote user can cause denial of service conditions.

A remote user can obtain potentially sensitive information on the target system.

A remote user can hijack connections.

Solution:   Oracle has issued a fix for CVE-2015-5370, CVE-2016-2111, CVE-2016-2112, CVE-2016-2115, and CVE-2016-2118.

The Oracle Linux advisory is available at:

http://linux.oracle.com/errata/ELSA-2016-0612.html

Vendor URL:  linux.oracle.com/errata/ELSA-2016-0612.html (Links to External Site)
Cause:   Access control error, Authentication error
Underlying OS:  Linux (Oracle)
Underlying OS Comments:  6, 7

Message History:   This archive entry is a follow-up to the message listed below.
Apr 13 2016 Samba Multiple Flaws Let Remote Users Hijack Connections, Obtain Potentially Sensitive Information, and Deny Service



 Source Message Contents

Subject:  [El-errata] ELSA-2016-0612 Critical: Oracle Linux 6 samba and samba4 security, bug fix, and enhancement update

Oracle Linux Security Advisory ELSA-2016-0612

http://linux.oracle.com/errata/ELSA-2016-0612.html

The following updated rpms for Oracle Linux 6 have been uploaded to the 
Unbreakable Linux Network:

i386:
ipa-admintools-3.0.0-47.el6_7.2.i686.rpm
ipa-client-3.0.0-47.el6_7.2.i686.rpm
ipa-python-3.0.0-47.el6_7.2.i686.rpm
ipa-server-3.0.0-47.el6_7.2.i686.rpm
ipa-server-selinux-3.0.0-47.el6_7.2.i686.rpm
ipa-server-trust-ad-3.0.0-47.el6_7.2.i686.rpm
ldb-tools-1.1.25-2.el6_7.i686.rpm
libldb-1.1.25-2.el6_7.i686.rpm
libldb-devel-1.1.25-2.el6_7.i686.rpm
libtalloc-2.1.5-1.el6_7.i686.rpm
libtalloc-devel-2.1.5-1.el6_7.i686.rpm
libtdb-1.3.8-1.el6_7.i686.rpm
libtdb-devel-1.3.8-1.el6_7.i686.rpm
libtevent-0.9.26-2.el6_7.i686.rpm
libtevent-devel-0.9.26-2.el6_7.i686.rpm
openchange-1.0-7.el6_7.i686.rpm
openchange-client-1.0-7.el6_7.i686.rpm
openchange-devel-1.0-7.el6_7.i686.rpm
openchange-devel-docs-1.0-7.el6_7.i686.rpm
pyldb-1.1.25-2.el6_7.i686.rpm
pyldb-devel-1.1.25-2.el6_7.i686.rpm
pytalloc-2.1.5-1.el6_7.i686.rpm
pytalloc-devel-2.1.5-1.el6_7.i686.rpm
python-tdb-1.3.8-1.el6_7.i686.rpm
python-tevent-0.9.26-2.el6_7.i686.rpm
samba4-4.2.10-6.el6_7.i686.rpm
samba4-client-4.2.10-6.el6_7.i686.rpm
samba4-common-4.2.10-6.el6_7.i686.rpm
samba4-dc-4.2.10-6.el6_7.i686.rpm
samba4-dc-libs-4.2.10-6.el6_7.i686.rpm
samba4-devel-4.2.10-6.el6_7.i686.rpm
samba4-libs-4.2.10-6.el6_7.i686.rpm
samba4-pidl-4.2.10-6.el6_7.i686.rpm
samba4-python-4.2.10-6.el6_7.i686.rpm
samba4-test-4.2.10-6.el6_7.i686.rpm
samba4-winbind-4.2.10-6.el6_7.i686.rpm
samba4-winbind-clients-4.2.10-6.el6_7.i686.rpm
samba4-winbind-krb5-locator-4.2.10-6.el6_7.i686.rpm
tdb-tools-1.3.8-1.el6_7.i686.rpm

x86_64:
ipa-admintools-3.0.0-47.el6_7.2.x86_64.rpm
ipa-client-3.0.0-47.el6_7.2.x86_64.rpm
ipa-python-3.0.0-47.el6_7.2.x86_64.rpm
ipa-server-3.0.0-47.el6_7.2.x86_64.rpm
ipa-server-selinux-3.0.0-47.el6_7.2.x86_64.rpm
ipa-server-trust-ad-3.0.0-47.el6_7.2.x86_64.rpm
ldb-tools-1.1.25-2.el6_7.x86_64.rpm
libldb-1.1.25-2.el6_7.i686.rpm
libldb-1.1.25-2.el6_7.x86_64.rpm
libldb-devel-1.1.25-2.el6_7.i686.rpm
libldb-devel-1.1.25-2.el6_7.x86_64.rpm
libtalloc-2.1.5-1.el6_7.i686.rpm
libtalloc-2.1.5-1.el6_7.x86_64.rpm
libtalloc-devel-2.1.5-1.el6_7.i686.rpm
libtalloc-devel-2.1.5-1.el6_7.x86_64.rpm
libtdb-1.3.8-1.el6_7.i686.rpm
libtdb-1.3.8-1.el6_7.x86_64.rpm
libtdb-devel-1.3.8-1.el6_7.i686.rpm
libtdb-devel-1.3.8-1.el6_7.x86_64.rpm
libtevent-0.9.26-2.el6_7.i686.rpm
libtevent-0.9.26-2.el6_7.x86_64.rpm
libtevent-devel-0.9.26-2.el6_7.i686.rpm
libtevent-devel-0.9.26-2.el6_7.x86_64.rpm
openchange-1.0-7.el6_7.x86_64.rpm
openchange-client-1.0-7.el6_7.x86_64.rpm
openchange-devel-1.0-7.el6_7.x86_64.rpm
openchange-devel-docs-1.0-7.el6_7.x86_64.rpm
pyldb-1.1.25-2.el6_7.x86_64.rpm
pyldb-devel-1.1.25-2.el6_7.x86_64.rpm
pytalloc-2.1.5-1.el6_7.x86_64.rpm
pytalloc-devel-2.1.5-1.el6_7.x86_64.rpm
python-tdb-1.3.8-1.el6_7.x86_64.rpm
python-tevent-0.9.26-2.el6_7.x86_64.rpm
samba4-4.2.10-6.el6_7.x86_64.rpm
samba4-client-4.2.10-6.el6_7.x86_64.rpm
samba4-common-4.2.10-6.el6_7.x86_64.rpm
samba4-dc-4.2.10-6.el6_7.x86_64.rpm
samba4-dc-libs-4.2.10-6.el6_7.x86_64.rpm
samba4-devel-4.2.10-6.el6_7.x86_64.rpm
samba4-libs-4.2.10-6.el6_7.x86_64.rpm
samba4-pidl-4.2.10-6.el6_7.x86_64.rpm
samba4-python-4.2.10-6.el6_7.x86_64.rpm
samba4-test-4.2.10-6.el6_7.x86_64.rpm
samba4-winbind-4.2.10-6.el6_7.x86_64.rpm
samba4-winbind-clients-4.2.10-6.el6_7.x86_64.rpm
samba4-winbind-krb5-locator-4.2.10-6.el6_7.x86_64.rpm
tdb-tools-1.3.8-1.el6_7.x86_64.rpm


SRPMS:
http://oss.oracle.com/ol6/SRPMS-updates/ipa-3.0.0-47.el6_7.2.src.rpm
http://oss.oracle.com/ol6/SRPMS-updates/libldb-1.1.25-2.el6_7.src.rpm
http://oss.oracle.com/ol6/SRPMS-updates/libtalloc-2.1.5-1.el6_7.src.rpm
http://oss.oracle.com/ol6/SRPMS-updates/libtdb-1.3.8-1.el6_7.src.rpm
http://oss.oracle.com/ol6/SRPMS-updates/libtevent-0.9.26-2.el6_7.src.rpm
http://oss.oracle.com/ol6/SRPMS-updates/openchange-1.0-7.el6_7.src.rpm
http://oss.oracle.com/ol6/SRPMS-updates/samba4-4.2.10-6.el6_7.src.rpm



Description of changes:

ipa
[3.0.0-47.el6.2]
- Update IPA code to support Samba 4.2
- Related: #1322688

libldb
[1.1.25-2]
- Fix the python-ldb requires
- Related: rhbz#1322688

[1.1.25-1]
- Rebase to upstream 1.1.25
- Related: rhbz#1322688

libtalloc
[2.1.5-1]
- Rebase to 2.1.5
- Remove upstreamed patch to enable verbose build
- Related: rhbz#1322688

libtdb
[1.3.8-1]
- Rebase libtdb to 1.3.8
- related: #1322688

libtevent
[0.9.26-2]
- temporarily disable make check, which keeps failing in mock despite
   working correctly on a full system
- Related: rhbz#1322688

[0.9.26-1]
- Rebase libtevent to 0.9.26
- Remove upstreamed or no longer applicable patches
- Related: rhbz#1322688

openchange
[1.0-7]
- Add a patch to fix connection string (Related: #1322688)

samba4
[4.2.10-6]
- Fix domain member winbind not being able to talk to trusted domains' DCs
- Related: #1322688

[4.2.10-5]
- Fix crash in smb.conf processing
- Related: #1322688

[4.2.10-4]
- Fix LDAP SASL handling for arcfour-hmac-md5
- resolves: #1322688

[4.2.10-3]
- Make sure the package owns /var/lib/samba and uses it for cache purposes
- resolves: #1322688

[4.2.10-2]
- Remove ldb modules which only needed for DC build
- resolves: #1322688

[4.2.10-1]
- resolves: #1322688


_______________________________________________
El-errata mailing list
El-errata@oss.oracle.com
https://oss.oracle.com/mailman/listinfo/el-errata
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC